For the past week, something strange has been going on in the European internet. For five days, web traffic from Texas to certain addresses in the UK has been routed through Ukrainian and Russian telecoms, taking a detour thousands of miles out of the way. Network traffic often takes a circuitous route as a result of network congestion or interconnection difficulties, but neither one would be enough to account for these routes. Instead, this was the result of a bad route announced by Ukraine's Vega telecom, inserting itself in between. "At this point, I have to believe this was an innocent mistake by Vega," said Dyn's Doug Madory, who first discovered the redirection, "but it's concerning nonetheless."
"At this point, I have to believe this was an innocent mistake."
This phenomenon is known as "route hijacking," and it's a common security concern for network engineers and security researchers alike. It's particularly disconcerting because of the sensitive nature of many of the sites involved. Among the dozens of sites involved was the UK's Atomic Weapons Establishment, which is tasked with managing and delivering the UK's nuclear warheads, as well as the UK's official mail service, the Royal Mail. US defense contractor Lockheed Martin was also running a VPN connection that was caught up in the redirection.
VPN traffic would have been encrypted, as well as almost all email traffic, but anyone listening in on email traffic would have been able to read the IP addresses of the parties involved. Even worse, any site serving data over unencrypted HTTP would have been entirely in the clear, and potentially exposed to injection attacks by a malicious third party with access to an intermediate network. (Both AWE and Royal Mail serve their sites over unencrypted HTTP.) Because of the public nature of the routing table, it's easy to see exactly when and how the route hijacking occurred, but why is still a mystery, and we can't say for sure whether any data was altered in transit.
It's still likely that the redirection was simply an innocent error, but it underscores the insecure nature of the global routing system. While much of the web has grown more wary of digital attack, routing is still based on trust, with networks freely announcing routes and friendly telecoms adopting them as a matter of habit. As a result, inefficient and potentially insecure routes like this one can linger for days without being corrected, without the parties involved ever being aware of them.
The full traceroute is below, with the Ukrainian telecom visible at line 11 and Russian interconnection at 12 and 13:
trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015
2 220.127.116.11 ae12.dar02.sr02.hou02.networklayer.com 2.948
3 18.104.22.168 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4 22.214.171.124 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5 126.96.36.199 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6 188.8.131.52 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7 184.108.40.206 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8 220.127.116.11 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9 18.104.22.168 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10 22.214.171.124 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11 126.96.36.199 edge-3-2-5-231.kiev.ucomline.net 154.988
12 188.8.131.52 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13 184.108.40.206 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14 220.127.116.11 linx1.ukcore.bt.net 161.442
15 18.104.22.168 (BTnet inter-pop routes, GB) 166.986
16 22.214.171.124 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17 126.96.36.199 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18 188.8.131.52 (Atomic Weapons Establishment, GB) 177.4